Disability Assistance for Older People (Scotland) Regulations 2024: Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) considering the potential impacts of the Disability Assistance for Older People (Scotland) Regulations 2024.


3. Data Controllers

Organisation

Social Security Scotland

Activities

Social Security Scotland collects and stores personal data in order to make determinations of entitlement to Scottish Government benefits and for the ongoing management of social security awards. This will include PADP following the regulations coming into force.

Social Security Scotland will be the Data Controller for all client data in Scotland once the Attendance Allowance case transfer process has completed.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?

Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing

Article 6(1)(e) – processing is necessary for the performance of a task carried out under the Social Security (Scotland) Act 2018 in the public interest or in the exercise of official authority vested in the controller.

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data

Include condition from Schedule 1 or 2 of the Data Protection Act 2018

Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of law which shall be proportionate to the aim of maximising benefit take-up and reducing barriers to accessing social security benefits in Scotland. Processing will respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of social security and social protection law in so far as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.

Processing satisfies the conditions of Schedule 1 of the Data Protection Act 2018 in that processing is necessary for the exercise of a function conferred on Social Security Scotland.

An appropriate policy document is held.

Processing of data relating to an individual being held in legal detention will be required for PADP. To determine eligibility or to process an individual’s change of circumstances, Social Security Scotland will need to know if they have been admitted to or have left legal detention.

Processing does not pertain to the nature of the individual’s conviction and is only in regard to whether they have been legally detained for the purposes of social security. An appropriate policy document is held.

Law Enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018

For law enforcement purposes, Social Security Scotland is a competent authority under paragraph 2 of Schedule 7 of the Data Protection Act 2018. Social Security Scotland exercises the powers and duties of the Social Security (Scotland) Act 2018 under the authority of Scottish Ministers.

Legal gateway for any sharing of personal data between organisations

N/A - Existing legal gateways will apply.

In line with ICO Data Sharing Code of Practice, as required by Section 121 of the Data Protection Act 2018.

Organisation

The Department for Work and Pensions (DWP)

Activities

DWP collects and stores personal data in order to make decisions on entitlement to Attendance Allowance and for the ongoing management of Attendance Allowance awards in England, Wales and Scotland, until Scottish awards have been transferred to Social Security Scotland under case transfer to PADP.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?

Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data

Include condition from Schedule 1 or 2 of the Data Protection Act 2018

Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of social security and social protection law in so far as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.

Processing satisfies the conditions of Schedule 1 of the Data Protection Act 2018 in that processing is necessary for the exercise of a function conferred on the Department for Work and Pensions.

Processing of data relating to legal detention will be transferred to Social Security Scotland for PADP. To determine eligibility or to process an individual’s change of circumstances Social Security Scotland will need to know if they have been admitted to or have left legal detention during their award of Attendance Allowance.

Processing does not pertain to the nature of the individual’s conviction and is only in regard to whether they have been legally detained for the purposes of social security. An appropriate policy document is held.

Social Security Scotland will be Data Controller for all client data once the case transfer process is complete.

Contact

Email: Joseph.Scullion@gov.scot

Back to top